Re: Windows XP SP2 Firewall - Developer Implications IPv4 inbound connections for services
From: Michael Kleef [MSFT] (mkleef_at_online.microsoft.com)
Date: 07/26/04
- Next message: Doug Knox MS-MVP: "Re: trouble with windows xp and getting to secured sites"
- Previous message: Brenda: "trouble with windows xp and getting to secured sites"
- In reply to: Scott Herriman: "Windows XP SP2 Firewall - Developer Implications IPv4 inbound connections for services"
- Next in thread: AndyC: "Re: Windows XP SP2 Firewall - Developer Implications IPv4 inbound connections for services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jul 2004 13:58:40 +0800
Let me clarify:
Ill make some assumptions first.
1. We're using Windows XP SP2.
2. Windows Firewall allows outbound traffic (and associated responses for a
period of time)
3. Windows Firewall blocks inbound traffic (including app listeners running
locally on the machine) unless exceptions exist
The statement made below says that inbound traffic will not be allowed
unless you explictly add a rule to the firewall to allow the traffic inwards
and thus expose a port that your app is needing to have exposed for
communications. You can programmatically add the port exception so that the
user is not prompted when the app needs to communicate. By default, Windows
Firewall will prompt the user to open a port exception in the list if the
user agrees to the dialog UI (that was caused by the app trying to open a
listener port).
The reason this article indicates that this may not be a good idea is that
it reduces the system's administrator's ability to manage the firewall rules
centrally through Group Policy. If you do this in code and someday a
vulnerability is found that exploits this port the sys admin will have no
way to shut it down and your app could place that business at risk.
Does that help??
Michael Kleef
mkleef@microsoft.com
Microsoft
"Scott Herriman" <sch@callwave.com> wrote in message
news:em1f$TRcEHA.2388@TK2MSFTNGP11.phx.gbl...
>I have a question regarding the MSDN help for Windows XP SP2 on the page,
> "Firewall - Developer Implications" in the section entitled "IPv4 inbound
> connections for services"
> http://msdn.microsoft.com/security/productinfo/XPSP2/networkprotection/firewall_devimp.aspx
>
> The paragrah in question reads (see link for more context):
> "If the user does not consent, then the service should still use the
> INetFwV4OpenPort COM interface to add rules to Windows Firewall to open
> the
> fixed port or ports needed by the service. These rules, however, should
> not
> be enabled so that an administrator can easily turn the rules on if
> necessary at a later time."
>
> I do not understand the last sentence? Can some one clarify what they
> mean.
>
> Is this the same sentiment as found under the heading "IPv4 Inbound
> Connections for Services" on another page?
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/securityinxpsp2.asp
> I think that on the second page they are more clear when they say:
> "If the user does not consent, then the service should still use the
> INetFwV4OpenPort API to add rules to ICF to open the fixed port or ports
> needed by the service. However, these rules should not be enabled. "
>
> Sorry for the cross post I think that it should be on topic for the most
> part. I am hoping that one of MS guys will read this and see if they can
> clearup the confusion on the page in question.
>
> Thanks,
> Scott
>
>
- Next message: Doug Knox MS-MVP: "Re: trouble with windows xp and getting to secured sites"
- Previous message: Brenda: "trouble with windows xp and getting to secured sites"
- In reply to: Scott Herriman: "Windows XP SP2 Firewall - Developer Implications IPv4 inbound connections for services"
- Next in thread: AndyC: "Re: Windows XP SP2 Firewall - Developer Implications IPv4 inbound connections for services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
